CWE hub

CWE-838 vulnerabilities

This hub groups CVEs that NVD maps to CWE-838, so you can review recent disclosures, common vendors, and related weakness patterns in one place.

RSS View CWE-838 on MITRE

Definition mirrored from MITRE CWE (MITRE CWE 4.13). CVE list is sourced live from NVD.

Mapped CVEs

Records currently returned for this weakness id.

Top vendor

cpanel

1 mapped CVEs in the aggregate scan.

Weakness roll-up for CWE-838

Showing 1-8 of 8 vulnerabilities.

CWE: CWE-838

Sort current page

CVE-2024-34006MediumCVSS4.3Published May 31, 2024

The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered.

Affected vendor

moodle

Affected product

moodle

Coverage

3 affected product entries

CVSS

4.3

MEDIUM

Published

May 31, 2024

CVE-2023-5770MediumCVSS5.3Published Jan 9, 2024

Proofpoint Enterprise Protection contains a vulnerability in the email delivery agent that allows an unauthenticated attacker to inject improperly encoded HTML into the email body of a message through the email subject. The vulnerability is caused by inappropriate encoding when rewriting the email before delivery.This issue affects Proofpoint Enterprise Protection: from 8.20.2 before patch 4809, from 8.20.0 before patch 4805, from 8.18.6 before patch 4804 and all other prior versions.

Affected vendor

proofpoint

Affected product

enterprise protection

Coverage

3 affected product entries

CVSS

5.3

MEDIUM

Published

Jan 9, 2024

CVE-2020-29135MediumCVSS4.1Published Nov 27, 2020

cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).

Affected vendor

cpanel

Affected product

cpanel

Coverage

Single affected product entry

CVSS

4.1

MEDIUM

Published

Nov 27, 2020

CVE-2020-7292MediumCVSS4.3Published Jul 15, 2020

Inappropriate Encoding for output context vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows a remote attacker to cause MWG to return an ambiguous redirect response via getting a user to click on a malicious URL.

Affected vendor

mcafee

Affected product

web gateway

Coverage

3 affected product entries

CVSS

4.3

MEDIUM

Published

Jul 15, 2020

CVE-2020-10996HighCVSS8.1Published Apr 27, 2020

An issue was discovered in Percona XtraDB Cluster before 5.7.28-31.41.2. A bundled script inadvertently sets a static transition_key for SST processes in place of the random key expected.

Affected vendor

percona

Affected product

xtradb cluster

Coverage

Single affected product entry

CVSS

8.1

HIGH

Published

Apr 27, 2020

CVE-2019-18981CriticalCVSS9.8Published Nov 15, 2019

Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification.

Affected vendor

pimcore

Affected product

pimcore

Coverage

Single affected product entry

CVSS

9.8

CRITICAL

Published

Nov 15, 2019

CVE-2019-6110MediumCVSS6.8Published Jan 31, 2019

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

Affected vendor

openbsd

Affected product

openssh

Coverage

7 affected product entries

CVSS

6.8

MEDIUM

Published

Jan 31, 2019

CVE-2018-9862HighCVSS7.8Published Apr 9, 2018

util.c in runV 1.0.0 for Docker mishandles a numeric username, which allows attackers to obtain root access by leveraging the presence of an initial numeric value on an /etc/passwd line, and then issuing a "docker exec" command with that value in the -u argument, a similar issue to CVE-2016-3697.

Affected vendor

hyper

Affected product

runv

Coverage

Single affected product entry

CVSS

7.8

HIGH

Published

Apr 9, 2018